[squid-users] Block and allow connections by CA
Alex Rousskov
rousskov at measurement-factory.com
Thu Dec 19 20:47:55 UTC 2019
On 12/19/19 5:56 AM, PatrĂcia Sousa wrote:
> I would like to have an IoT device that only receives and sends requests
> to and from certain devices that belong and are authenticated by a
> specific certificate authority. Is it possible to block all other
> connections or only allow connections from devices that belong to a
> specific CA?
Yes, I believe it is possible:
* Squid can check (via an https_port configuration option) that a TLS
client possesses a certificate signed by a specific CA.
* Squid can check (via a ca_cert ACL) that a TLS server uses a
certificate signed by a specific CA. This ACL can be applied during
SslBump step3 processing, but there may be a way to sneak it in without
using SslBump (or such a way can be added by modifying Squid).
If ca_cert options are not enough, Squid can check other server
certificate properties via a custom certificate validation daemon (which
you would have to write). Or one could add support for more properties
to the ca_cert ACL.
Alex.
More information about the squid-users
mailing list